Privacy Policy | Tickflow Capital - Data Protection & Privacy

1. Who We Are

Tickflow Capital Limited ("Tickflow Capital", "we", "us", or "our") is a trading technology and quantitative research company incorporated in Kenya under the Companies Act 2015.

Registered name: Tickflow Capital Limited
Registration number: PVT-6Y1YWM6V
Registered address: Ruiru, Kiambu, Kenya
Contact email: info.tickflowcapital@gmail.com

We operate the website tickflowcapital.com and the TIES (Trading Intelligence & Execution System) platform. In the context of this Privacy Policy, we are the data controller for personal data collected through our website and communications. Where we process data on behalf of commercial clients, we may act as a data processor as defined in the Kenya Data Protection Act 2019.

2. Data We Collect

We collect personal data only to the extent necessary for legitimate business purposes. We do not collect excessive, irrelevant, or speculative data.

2.1 Data You Provide Directly

Category	Examples	How Collected
Identity data	Full name, job title, company name	Contact form, email enquiries
Contact data	Email address	Contact form, direct email
Communication data	Content of messages, enquiry type, message body	Contact form submissions
Commercial data	Product interest, firm type, use case descriptions	Contact form selection fields

2.2 Data Collected Automatically

Category	Examples	Purpose
Technical data	IP address, browser type, operating system	Security, fraud prevention
Usage data	Pages visited, time on site, referral source	Analytics (if enabled)
Device data	Screen resolution, device type	Site optimisation

2.3 Data We Do Not Collect

We do not collect:

Financial account numbers, bank details, or payment card data (payments, if applicable, are handled by Stripe - see Section 5)
Government-issued identification numbers (unless required for KYC/AML compliance in specific commercial arrangements)
Biometric data
Health or medical data
Data from individuals under 18 years of age
Social media profile data beyond what you voluntarily share in direct communications

          No account system currently: Tickflow Capital Limited does not currently operate user accounts or login portals for its public website. Data collected is limited to that submitted via our contact form and standard server-side technical logs.
        

3. How We Use Your Data

We use personal data only for specified, explicit, and legitimate purposes. We do not use data for automated profiling or decision-making that produces legal effects.

Purpose	Data Used	Legal Basis
Responding to enquiries and contact form submissions	Identity, contact, communication data	Legitimate interest / Contractual necessity
Providing information about our products and services	Identity, contact, commercial data	Legitimate interest / Consent
Managing commercial relationships and contracts	Identity, contact, commercial data	Contractual necessity
Complying with legal and regulatory obligations	As required by law	Legal obligation
Improving our website and services	Technical, usage data (anonymised)	Legitimate interest
Security monitoring and fraud prevention	Technical data	Legitimate interest

We do not use your personal data for unsolicited marketing, selling to third-party advertisers, or any purpose not listed above. We do not sell personal data.

4. Legal Basis for Processing

Under the Kenya Data Protection Act 2019, we process personal data on the following lawful bases:

Consent: Where you have given clear, informed consent (e.g., optional communications).
Contractual necessity: Where processing is necessary to fulfil a contract with you or to take steps at your request prior to entering a contract.
Legal obligation: Where we are required to process data to comply with a legal or regulatory obligation.
Legitimate interests: Where processing is necessary for our legitimate business interests (e.g., security, fraud prevention, service improvement), provided those interests are not overridden by your rights and interests. We have assessed each such use and determined it is proportionate and necessary.

Where we rely on consent, you have the right to withdraw that consent at any time by contacting us at info.tickflowcapital@gmail.com. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share personal data only in the following limited circumstances:

5.1 Service Providers (Data Processors)

We engage the following third-party service providers who may process personal data on our behalf:

Provider	Purpose	Location
Cloudflare Inc.	CDN, DDoS protection, DNS, security	United States
Web3Forms	Contact form submission processing and email delivery	United States
Stripe Inc. (future Phase 4)	Payment processing for commercial subscriptions	United States
Oracle Cloud Infrastructure	VPS hosting for backend services	United States / Global
GitHub Inc.	Source code hosting and site deployment	United States

All service providers are contractually bound to process personal data only on our instructions and in accordance with applicable data protection laws.

5.2 Legal Disclosure

We may disclose personal data to:

Regulatory authorities or law enforcement agencies where required by law, court order, or legal process.
Competent authorities for compliance with anti-money laundering (AML) or counter-terrorism financing (CTF) obligations.
Professional advisers (lawyers, accountants, auditors) bound by confidentiality obligations.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.

Data Category	Retention Period	Basis
Contact form submissions (general enquiries)	12 months from date of submission	Legitimate interest in follow-up and business development
Commercial correspondence and contracts	7 years from contract end date	Kenya Companies Act; tax and legal obligations
Payment records (if applicable)	7 years	Kenya Tax Procedures Act 2015
Technical logs (server, security)	90 days	Security monitoring and incident investigation
Marketing communications data	Until consent is withdrawn, or 2 years of inactivity	Consent

When personal data is no longer required, we securely delete or anonymise it. Anonymised data (which can no longer identify you) may be retained indefinitely for research and analytical purposes.

7. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure.

Technical Measures

All data in transit encrypted via TLS 1.2 or higher
Website served via Cloudflare with DDoS protection and HTTP/3 support
Backend services hosted on Oracle Cloud with restricted network access
Access controlled via Cloudflare named tunnels - no direct public exposure
Redis data encrypted at rest and access-controlled
PostgreSQL databases with role-based access control

Organisational Measures

Access to personal data limited to personnel with a legitimate need
Incident response procedures in place
Regular security review of external-facing systems
Third-party service providers assessed for security prior to engagement

No transmission of data over the internet is completely secure. While we take all reasonable precautions, we cannot guarantee the absolute security of data transmitted to or from our website.

          To report a security vulnerability or data breach, contact us immediately at info.tickflowcapital@gmail.com or via our security disclosure at tickflowcapital.com/.well-known/security.txt.
        

8. Your Rights Under Kenya's Data Protection Act 2019

As a data subject, you have the following rights under the Kenya Data Protection Act 2019:

Right	What It Means
Right of access	You may request confirmation of whether we hold your personal data and obtain a copy of it.
Right to rectification	You may request correction of inaccurate or incomplete personal data.
Right to erasure	You may request deletion of your personal data where there is no compelling reason for its continued processing.
Right to restriction	You may request that we restrict the processing of your data in certain circumstances.
Right to data portability	You may request a copy of your data in a structured, machine-readable format.
Right to object	You may object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent	Where we rely on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at info.tickflowcapital@gmail.com. We will respond within 30 days. We may require you to verify your identity before processing your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke.

9. International Data Transfers

Some of our third-party service providers are located outside Kenya (primarily in the United States). When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

Contractual clauses that require the recipient to protect personal data to standards equivalent to those under Kenyan law
Use of service providers that operate under recognised data protection frameworks (e.g., EU Standard Contractual Clauses where applicable)
Assessment of the legal environment in the recipient country to ensure adequate protection

By submitting data through our website, you acknowledge that your data may be transferred to, stored, and processed in countries outside Kenya, subject to the safeguards described above.

10. Children's Privacy

Our website and services are intended solely for adults aged 18 and over. We do not knowingly collect personal data from individuals under 18 years of age. Our products involve financial technology and trading systems that are not appropriate for minors.

If we discover that we have inadvertently collected personal data from a minor, we will delete that data immediately. If you believe we have collected data from a minor, please contact us at info.tickflowcapital@gmail.com.

11. Cookies and Tracking

Our website uses limited cookies for essential functionality. We do not use advertising cookies, cross-site tracking, or third-party analytics tools that collect personal data without your consent.

For full details on the cookies we use, how we use them, and how to control them, please read our Cookie Policy.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or operational changes. When we make material changes, we will:

Update the "Last Updated" date at the top of this page
Post the updated policy on our website
Where required by law, notify affected individuals directly

We encourage you to review this policy periodically. Your continued use of our website or services after changes are posted constitutes your acceptance of the updated policy.

13. Contact Us

For questions, concerns, or requests relating to this Privacy Policy or your personal data:

Email: info.tickflowcapital@gmail.com
Entity: Tickflow Capital Limited
Address: Ruiru, Kiambu, Kenya

We aim to respond to all privacy-related enquiries within 30 calendar days. For formal complaints, you may also contact the Office of the Data Protection Commissioner of Kenya.